Posted to commits@allura.apache.org by br...@apache.org on 2013/05/03 23:57:38 UTC
[08/50] git commit: [#2835] avoid double-escaping solr text by
escaping it only on the way out. tests
[#2835] avoid double-escaping solr text by escaping it only on the way out. tests
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/69d75753
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/69d75753
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/69d75753
Branch: refs/heads/db/6007
Commit: 69d757538ad8d5c30cffe491b56c8b701f7c4dd8
Parents: c8311bb
Author: Dave Brondsema <db...@slashdotmedia.com>
Authored: Thu Apr 25 20:20:12 2013 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Mon Apr 29 13:38:36 2013 +0000
----------------------------------------------------------------------
Allura/allura/lib/search.py | 4 +-
Allura/allura/tests/unit/test_solr.py | 86 +++++++++++++++++++++++++++-
2 files changed, 85 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/69d75753/Allura/allura/lib/search.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/search.py b/Allura/allura/lib/search.py
index 203e37a..d43af9c 100644
--- a/Allura/allura/lib/search.py
+++ b/Allura/allura/lib/search.py
@@ -46,8 +46,6 @@ def solarize(obj):
text = doc['text']
text = g.markdown.convert(text)
doc['text'] = jinja2.Markup.escape(text).striptags()
- # striptags decodes html entities, so we should escape them again
- doc['text'] = jinja2.Markup.escape(doc['text'])
return doc
class SearchError(SolrError):
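Review bot: With the second escape gone, nothing in solarize() records that doc['text'] is now deliberately stored as plain text and is meant to be escaped by whoever renders it, which is exactly the invariant the removed comment was guarding; a later reader of `doc['text'] = jinja2.Markup.escape(text).striptags()` may well "fix" it and reintroduce the double-escaping this commit removes. Replace the removed comment with one stating the new contract, e.g. `# striptags() decodes entities, so doc['text'] is stored unescaped; it is escaped on output (see search_app)`. Since `.striptags()` only strips markup, the XSS protection for this field now rests entirely on every output path escaping it. solarize()'s body starts outside the hunk.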
@@ -201,7 +199,7 @@ def search_app(q='', fq=None, app=True, **kw):
score_url = url(request.path, params=params)
params.update({'sort': date_url})
date_url = url(request.path, params=params)
- return dict(q=q, history=history, results=results or [],
+ return dict(q=q, history=history, results=list(results) or [],
count=count, limit=limit, page=page, search_error=search_error,
sort_score_url=score_url, sort_date_url=date_url,
sort_field=field)
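Review bot: `results=list(results) or []` raises TypeError when results is None, whereas the replaced `results or []` tolerated any falsy value, so if the solr call can fail and leave results unset the guard is lost; `results=list(results) if results else []` keeps the old tolerance while still materializing the iterator for the caller. Where results is assigned is outside the hunk, so whether None actually reaches this line cannot be confirmed from here; the test_basic case in the companion hunk, which expects `results=[]` without mocking the search, is the place to check it. search_app's body starts outside the hunk.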
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/69d75753/Allura/allura/tests/unit/test_solr.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/unit/test_solr.py b/Allura/allura/tests/unit/test_solr.py
index 5226f07..f431ea3 100644
--- a/Allura/allura/tests/unit/test_solr.py
+++ b/Allura/allura/tests/unit/test_solr.py
@@ -16,11 +16,15 @@
# under the License.
import unittest
+
import mock
from nose.tools import assert_equal
+from markupsafe import Markup
+from allura.lib import helpers as h
+from allura.tests import decorators as td
from allura.lib.solr import Solr
-from allura.lib.search import solarize
+from allura.lib.search import solarize, search_app
class TestSolr(unittest.TestCase):
@mock.patch('allura.lib.solr.pysolr')
@@ -72,5 +76,83 @@ class TestSolarize(unittest.TestCase):
obj = mock.MagicMock()
obj.index.return_value = {'text': '<script>alert(1)</script>'}
assert_equal(solarize(obj), {'text': ''})
+
obj.index.return_value = {'text': '<script>alert(1)</script>'}
- assert_equal(solarize(obj), {'text': '<script>alert(1)</script>'})
+ assert_equal(solarize(obj), {'text': '<script>alert(1)</script>'})
+
+
+class TestSearch_app(unittest.TestCase):
+
+ @td.with_wiki
+ @mock.patch('allura.lib.search.url')
+ @mock.patch('allura.lib.search.request')
+ def test_basic(self, req, url_fn):
+ req.GET = dict()
+ req.path = '/test/search'
+ url_fn.side_effect = ['the-score-url', 'the-date-url']
+ with h.push_context('test', 'wiki', neighborhood='Projects'):
+ resp = search_app(q='foo bar')
+ assert_equal(resp, dict(
+ q='foo bar',
+ history=None,
+ results=[],
+ count=0,
+ limit=25,
+ page=0,
+ search_error=None,
+ sort_score_url='the-score-url',
+ sort_date_url='the-date-url',
+ sort_field='score',
+ ))
+
+ @td.with_wiki
+ @mock.patch('allura.lib.search.g.solr.search')
+ @mock.patch('allura.lib.search.url')
+ @mock.patch('allura.lib.search.request')
+ def test_escape_solr_text(self, req, url_fn, solr_search):
+ req.GET = dict()
+ req.path = '/test/wiki/search'
+ url_fn.side_effect = ['the-score-url', 'the-date-url']
+ results = mock.Mock(hits=2, docs=[
+ {'id': 123, 'type_s':'WikiPage Snapshot', 'url_s':'/test/wiki/Foo', 'version_i':2},
+ {'id': 321, 'type_s':'Post'},
+ ], highlighting={
+ 123: dict(title='some #ALLURA-HIGHLIGHT-START#Foo#ALLURA-HIGHLIGHT-END# stuff',
+ text='scary <script>alert(1)</script> bar'),
+ 321: dict(title='blah blah',
+ text='less scary but still dangerous <script>alert(1)</script> '
+ 'blah #ALLURA-HIGHLIGHT-START#bar#ALLURA-HIGHLIGHT-END# foo foo'),
+ },
+ )
+ results.__iter__ = lambda self: iter(results.docs)
+ solr_search.return_value = results
+ with h.push_context('test', 'wiki', neighborhood='Projects'):
+ resp = search_app(q='foo bar')
+
+ assert_equal(resp, dict(
+ q='foo bar',
+ history=None,
+ count=2,
+ limit=25,
+ page=0,
+ search_error=None,
+ sort_score_url='the-score-url',
+ sort_date_url='the-date-url',
+ sort_field='score',
+ results=[{
+ 'id': 123,
+ 'type_s': 'WikiPage Snapshot',
+ 'version_i': 2,
+ 'url_s': '/test/wiki/Foo?version=2',
+ # highlighting works
+ 'title_match': Markup('some <strong>Foo</strong> stuff'),
+ # HTML in the solr plaintext results get escaped
+ 'text_match': Markup('scary <script>alert(1)</script> bar'),
+ }, {
+ 'id': 321,
+ 'type_s': 'Post',
+ 'title_match': Markup('blah blah'),
+ # highlighting in text
+ 'text_match': Markup('less scary but still dangerous &lt;script&gt;alert(1)&lt;/script&gt; blah <strong>bar</strong> foo foo'),
+ }]
+ ))